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1. INTRODUCTION 

Finding lower bounds on the complexity of polynomial functions over the complex 
numbers is one of the fundamental problems of algebraic complexity theory. It be- 
comes more tractable if we restrict the model of computation to arithmetic circuits, 
where the multiplication with scalars is restricted to constants of bounded absolute 
value. This model was introduced in a seminal work by [Morgenstern 1973; 1975], 
where it was proved that the complexity of multiplying a vector with some given 
square matrix A is bounded from below by the logarithm of the absolute value of 
the determinant of A. As a consequence, Morgenstern derived the lower bound 
log n for computing the Discrete Fourier Transform. 

[Valiant 1976; 1977] analyzed the problem to prove nonlinear lower bounds on 
the complexity of the Discrete Fourier Transform and related linear problems in 
the unrestricted model of arithmetic circuits. However, despite many attempts, 
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this problem is still open today. 

To motivate the bounded coefficient model (b.c. for short), we note that many 
algorithms for arithmetic problems, like the Fast Fourier Transform and the fast 
algorithms based on it, use only small constants. [Chazelle 1998] advocated the b.c. 
model as a natural model of computation by arguing that the finite representation 
of numbers is essentially equivalent to bounded coefficients. 

[Chazelle 1998] refined Morgenstern's bound by proving a lower bound on the b.c. 
linear complexity of a matrix A in terms of the singular values of A. His applications 
are nonlinear lower bounds for range searching problems. Several papers [Nisan 
and Wigderson 1995; Lokam 1995; Pudlak 1998] provided size-depth trade-offs 
for b.c. arithmetic circuits. The concept of matrix rigidity originally introduced 
in [Valiant 1977], hereby plays a vital role. A geometric variant of this concept 
(euclidean metric instead of Hamming metric) is closely related to the singular 
value decomposition of a matrix and turns out to be an important tool, as worked 
out in [Lokam 1995]. [Raz 2002] recently proved a nonlinear lower bound on the 
complexity of matrix multiplication in the b.c. model. To our knowledge, this paper 
and [Nisan and Wigderson 1995] are the only ones which deal with the complexity 
of bilinear maps in the b.c. model of computation. 

The main result of this paper (Theorem 4.1) is a nonlinear lower bound of order 
nlogn to compute the cyclic convolution of two given vectors in the b.c. model. 
This bound is optimal up to a constant factor. The proof is based on ideas in [Raz 
2002] to establish a lower bound on the complexity of a bilinear map (x, y) <— > tp(x, y) 
in terms of the complexity of the linear maps y <— > f(a, y) obtained by fixing the 
first input to a (Lemma 2.4). However, the linear circuit for the computation of 
y i ► f(a, y) resulting from a hypothetical b.c. circuit for tp has to be transformed 
into a small one with bounded coefficients. This can be achieved with a geometric 
rigidity argument by choosing a vector a at random according to the standard 
normal distribution in a suitable linear subspace of C m (Lemma 4.2). 

In the case of matrix multiplication, [Raz 2002] proceeded by applying a geo- 
metric rigidity bound to the resulting linear problem via the Hoffman- Wielandt 
inequality This approach does not yield good enough bounds in our situation, 
where we have to estimate the complexity of structured random matrices; in the 
case of the convolution these are circulant matrices. Instead, we treat the arising 
linear problem by extending Morgenstern's bound in a new way. We define the r- 
mean square volume of a complex matrix A, which turns out to be the square root 
of the r-th elementary symmetric function in the squares of the singular values of A. 
An important property of this quantity is that it is invariant under multiplication 
with unitary matrices from the left or the right. We prove that the logarithm of 
the r-mean square volume provides a lower bound on the b.c. complexity of the 
matrix A (Proposition (3.1)). This implies that the logarithm of the product of the 
largest r singular values is a lower bound on the b.c. complexity. 

We also study an extension of the bounded coefficient model of computation 
by allowing a limited number of help gates corresponding to scalar multiplications 
with unbounded constants. We can show that our proof technique is robust in the 
sense that it still allows to prove n log n lower bounds if the number of help gates is 
restricted to (1 — e)n for fixed e > 0. This is achieved by an extension of the mean 
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square volume bound (Proposition 6.1), which is related to the spectral lemma 
in [Chazelle 1998]. The proof is based on some matrix perturbation arguments. 

From the lower bound for the cyclic convolution we obtain nonlinear lower bounds 
for polynomial multiplication, inversion of power series, and polynomial division 
with remainder by noting that the well-known reductions between these prob- 
lems [Biirgisser et al. 1997] preserve the b.c. property. These lower bounds are 
again optimal up to order of magnitude. 

1.1 Organization of the paper 

In Section 2, we introduce the model of computation and discuss known facts facts 
about singular values and matrix rigidity. We also introduce some notation and 
present auxiliary results related to (complex) Gaussian random vectors. In Sec- 
tion 3 we first recall previously known lower bounds for b.c. linear circuits. Then 
we introduce the mean square volume of a matrix and prove an extension of Mor- 
genstern's bound in terms of this quantity. Section 4 contains the statement and 
proof of our main theorem, the lower bound on cyclic convolution. In Section 5, 
we derive lower bounds for polynomial multiplication, inversion of power series and 
division with remainder. Finally, in Section 6 we show that our results can be 
extended to the case, where a limited number of unbounded scalar multiplications 
(help gates) is allowed. 

2. PRELIMINARIES 

We start this section by giving a short introduction to the model of computation. 
2.1 The model of computation 

We will base our arguments on the model of algebraic straight-line programs over C, 
which are often called arithmetic circuits in the literature. For details on this model 
we refer to chapter 4 of [Biirgisser et al. 1997]. By a result in [Strassen 1973b], we 
may exclude divisions without loss of generality. 

Definition 2.1. A straight-line program T expecting inputs of length n is a se- 
quence (Ti, . . . , r r ) of instructions T s — (u) s ; i s ,j s ), w s G {*, +, — } or T s = (u s ; i s ), 
lu s G C, with integers i s ,j s satisfying — n < i s ,j s < s. A sequence of polynomials 
b-n+i, ■ ■ ■ ,b r is called the result sequence of T on input variables ai, . . . ,a n , if for 
— n < s < 0, b s = a n+s , and for 1 < s < r, b s = bi g u> s bj g if T s = (u; s ;i s ,j s ) and 
b s = uj s bi s if T s = (u> s ;i s ). T is said to compute a set of polynomials F on input 
ai, . . . , a n , if the elements in F are among those of the result sequence of T on that 
input. The size S(T) of T is the number r of its instructions. 

In the sequel we will refer to such straight-line programs briefly as circuits. A 
circuit in which the scalar multiplication is restricted to scalars of absolute value at 
most 2 will be called a bounded coefficient circuit (b.c. circuit for short). Of course, 
the bound of 2 could be replaced by any other fixed bound. Any circuit can be 
transformed into a b.c. circuit by replacing a multiplication with a scalar A with at 
most log | A | additions and a multiplication with a scalar of absolute value at most 2. 
Unless otherwise stated, log will always refer to logarithms to the base 2. 

We now introduce restricted notions of circuits, designed for computing linear 
and bilinear maps. 
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Definition 2.2. A circuit T = (T\, . . . , T r ) expecting inputs X\, . . . , X n is called 
a linear circuit, if uj s e { + , — } for every instruction T s = (u) s ;i s ,j s ), or u s e C if 
the instruction is of the form (lu s ; i s ). A circuit on inputs X\, . . . , X m , Y±, . . . , Y n 
is called a bilinear circuit, if its sequence of instructions can be partitioned as 

r = (r«,r( 2 ),r( 3 \r( 4 )), where 

(1) is a linear circuit with the Xi as inputs, 

(2) I^ 2 ) is a linear circuit with the Yj as inputs, 

(3) each instruction from I^ 3 ) has the form with e L^ and Tj S I^ 2 ), 

(4) r^ 4 ^ is a linear circuit with the previously computed results of I^ 3 ) as inputs. 

In other words, r' 1 ) and T^ 2 ^ compute linear functions fi, . . . , fk m the Xi and 
gi,...,gt in the Yj. then multiplies the fi with the gj and r' 4 ) computes 

linear combinations of the products fogj. 

It is clear that linear circuits compute linear maps and that bilinear circuits com- 
pute bilinear maps. On the other hand, it can be shown that any linear (bilinear) 
map can be computed by a linear (bilinear) circuit such that the size increases 
at most by a constant factor (cf. [Biirgisser et al. 1997, Theorem 13.1, Proposi- 
tion 14.1]). This remains true when considering bounded coefficient circuits, as can 
easily be checked. From now on, we will only be concerned with bounded coefficient 
circuits. 

Definition 2.3. By the b.c. complexity C((p) of a bilinear map ip: C m x C" — > C p 
we understand the size of a smallest b.c. bilinear circuit computing <p. By the 
b.c. complexity C(ip A ) of a linear map ip A : C" — > C m (or the corresponding matrix 
A e C mxn ), we understand the size of a smallest b.c. linear circuit computing f A . 

By abuse of notation, we also write C(F) for the smallest size of a b.c. circuit 
computing a set F of polynomials from the variables. (There is no serious danger 
of confusion arising from this, since these complexity notions differ at most by a 
constant factor.) 

Let ip: C m x C" — > C p be a bilinear map described by <fk(X, Y) = J^i j dijkXiYj. 
Assuming \aijk\ < 2, it is clear that C(<p) < 3mnp. Therefore, if fi, . . . , fk are the 
linear maps computed on the first set of inputs by an optimal b.c. bilinear circuit 
for ip, we have k < <S(r) < Zmnp. 

The complexity of a bilinear map ip can be related to the complexity of the 
associated linear map ip(a, — ), where a e C m . We have taken the idea behind the 
following lemma from [Raz 2002] . 

Lemma 2.4. Let ip: C m x C" — > C p be a bilinear map and F be a b.c. bilinear 
circuit computing ip. If f\, ■ ■ ■ , fk ar e the linear maps computed by the circuit on 
the first set of inputs, then for all a £ C m : 

C(<p(a,-)) < 5(F) +p log (max |/, (a) |). 

j 

Proof. Let a G C m be chosen and set 7 = max^ \fj(a)\. Transform the circuit T 
into a linear circuit T' by the following steps: 

(1) replace the first argument x of the input by a, 
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(2) replace each multiplication by fi(a) with a multiplication by 27 fi(a), 

(3) multiply each output with 7/2 by simulating this with at most log (7/2) addi- 
tions and one multiplication with a scalar of absolute value at most 2. 

This is a b.c. linear circuit computing the map tp(a, — ) : C™ — > C p . Since there are 
p outputs, the size increases by at most plog7- □ 

2.2 Singular values and matrix rigidity 

The Singular Value Decomposition (SVD) is one of the most important matrix 
decompositions in numerical analysis. Lately, it has also come to play a prominent 
role in proving lower bounds for linear circuits [Chazelle 1998; Lokam 1995; Raz 
2002] . In this section, we present some basic facts about singular values and show 
how they relate to notions of matrix rigidity. For a more detailed account on the 
SVD, we refer to [Golub and Van Loan 1996]. We also find [Courant and Hilbcrt 
1931, Chapt. 1, Sect. 4] a useful reference. 

The singular values of A e C mx " j ci > . . . > cr m i n { m .„}, can be defined as the 
square roots of the eigenvalues of the hermitian matrix AA* . Alternatively, they 
can be characterized as follows: 

<r r+ i = min{||A - B\\ 2 I B e C mxn ,rk(B) < r}, 

where || • || denotes the matrix 2-norm. An important consequence is the Courant- 
Fischer min-max theorem stating 

\\M\2 

oy+i = mm max — — - — . 

codimV=r xeV~{0} ||x|| 2 

This description implies the following useful fact from matrix perturbation theory: 

a r+h {A)<a r {A + E) (1) 

if the matrix E has rank at most h. 

More generally, for any metric d on C mx " (or 'S mxn ) and 1 < r < min {m,n}, 
we can define the r-rigidity of a matrix A to be the distance of A to the set of all 
matrices of rank at most r with respect to this metric: 

rig d r (A) = min{d(A,B) | B e C mx ",rk(B) < r}. 

Using the Hamming metric, we obtain the usual matrix rigidity as introduced 
in [Valiant 1977]. On the other hand, using the metric induced by the 1, 2-norm 
||-A||i,2 : = max|| a ,j| 1=1 ||Ac||2, we obtain the following geometric notion of rigidity, 
as introduced in [Raz 2002]: 

rig r ( J 4) = min max dist(dj, V). 

dim V— r l<i<n 

Here, the are the column vectors of A e £?nxn anc j denotes the usual 
euclidcan distance. 

Notions of rigidity can be related to one another the same way the underlying 
norms can. In particular, we have the following relationship between the geometric 
rigidity and the singular values: 

-La r+1 (A) < rig r (A) < a r+1 (A). 
v ^ 
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The proofs of these inequalities are based on well known inequalities for matrix 
norms. For instance, if B is a matrix of rank at most r with columns bi, we have 

1 " 1 1 

||i4-B||? i2 = max||ai-6i||| > - Vlk-^H 2 . > -\\A-B\\ 2 2 > -a 2 +1 , 

which shows the left inequality. 

2.3 Complex Gaussian vectors 

A random vector X = (X\, . . . , X n ) in W 1 is called standard Gaussian iff its com- 
ponents Xi are i.i.d. standard normal distributed. It is clear that an orthogonal 
transformation of such a random vector is again standard Gaussian. 

Throughout this paper, we will be working with random vectors Z assuming 
values in C™. However, by identifying C" with M. 2n , we can think of Z as a 2n- 
dimcnsional real random vector. In particular, it makes sense to say that such Z is 
(standard) Gaussian in C™. 

Let U be an r-dimensional linear subspace of C™. We say that a random vector Z 
with values in U is standard Gaussian in U iff for some orthonormal basis b\ , . . . , b r 
of U we have Z = J2j(jbj, where the random vector (Q) of the components is 
standard Gaussian in C. It is easy to see that this description does not depend 
on the choice of the orthonormal basis. In fact, the transformation of a standard 
Gaussian vector with a unitary matrix is again standard Gaussian, since a unitary 
transformation C r — ► C r induces an orthogonal transformation R 2r — > M 2r . 

The easy proof of the following lemma is left to the reader. 

Lemma 2.5. Let (Z\, . . . , Z n ) be standard Gaussian in C™. Consider a complex 
linear combination S = f\Z\ + . . . + f n Z n with f — (fi, ■ ■ ■ , f n ) € C". Then the 
real and imaginary parts of S are independent and normal distributed, each with 
mean and variance ||/|| 2 . Moreover, T := |5| 2 /2||/|| 2 is exponentially distributed 
with parameter 1. That is, the density function is e~* for t > and the mean and 
the variance of U are both equal to 1. 

2.4 Two useful inequalities 

Let X, Y be i.i.d. standard normal random variables and set 7 :— 1 — E[logX 2 ] and 
9 := E[log 2 (X 2 + Y 2 )]. Evaluating the corresponding integrals yields 

1 f°° 

7= -= I t- 1/2 e- t logtdt^2.83 

V* Jo 

1 f°° 

6 = - I e-*' 2 log 2 tdt w 3.45. 

2 Jo 

Lemma 2.6. Let Z be a centered Gaussian variable with complex values. Then 
< logE[|Z| 2 ] -E[log|Z| 2 ] <7, Var(log|Z| 2 ) < 9. 

Proof. By a principal axis transformation, we may assume that Z = XiX + 
i\2Y with independent standard normal X, Y. The difference A := logE[|Z| 2 ] — 
E[log \Z\ 2 ] is nonnegative, since log is concave (Jensen's inequality). By linearity of 
the mean, A as well as Var(log \ Z\ 2 ) are invariant under multiplication of Z with 
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scalars. We may therefore w.l.o.g. assume that 1 = Ai > A 2 . From this we see that 
logEp| 2 ] = logE[X 2 + \ 2 2 Y 2 ] < logE[X 2 + Y 2 ] = 1 
E[log \Z\ 2 ] = E[log (X 2 + \ 2 Y 2 )} > E[logX 2 } = l- 7 , 

which implies the first claim. The estimates 

Var(log \Z\ 2 ) < E[log 2 \Z\ 2 } < E[log 2 (A: 2 + Y 2 )] = 6. 

prove the second claim. □ 

3. THE MEAN SQUARE VOLUME BOUND 

Morgenstern's bound [Morgcnstcrn 1973] states that C(A) > log | det (^4) | for a 
square matrix A, see also [Biirgisser et al. 1997, Chapter 13] for details. We are 
going to study several generalizations of this bound. 

Let A e C mx ™ be a matrix. For an r-subsct / C [m] := {1, . . . , to} let Aj denote 
the submatrix of A consisting of the rows indexed by /. The Gramian determinant 
det Aj A} can be interpreted as the square of the volume of the parallelepiped 
spanned by the rows of Ai (A* denotes the complex transpose of A) . 

[Raz 2002] defined the r- volume of A by 

voL(A) := max (dot A/^) 1/2 

|/|=r 

and observed that the proof of Morgenstern's bound extends to the following r- 
volume bound: 

C(A)>\ogvol r (A). (2) 
Moreover, [Raz 2002] related this quantity to the geometric rigidity as follows: 

voL(A) > (rig r (A)r, 
which implies the rigidity bound, 

C(A)>r\ogrig r (A). (3) 

For our purposes it will be important to work with a variant of the r-volume 
that is completely invariant under unitary transformations. Instead of taking the 
maximum of the volumes (dot AjA^) 1 / 2 , we will use the sum of the squares. We 
define the r-mean square volume msv r (A) of A e C mx ™ by 

/ \ 1/2 / x 1/2 

msv r (A) := ^ det AiA\ J = ^ | det yij,,/' 2 

Hereby, Aj : j denotes the r x r submatrix consisting of the rows indexed by / and 
columns indexed by J. The second equality is a consequence of the Binet-Cauchy 
formula dct^/A} = J2\j\= r I det ^/,j| 2 > see [Bellman 1997, Chapter 4]. The choice 
of the L 2 -norm instead of the maximum norm results in the following inequality 



vol r (A) < msv r (A) < y vol r (A). (4) 
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The mean square volume has the following nice properties, which are all easy to 
verify: 

msv r (A) — msv r (A*), msv r (\A) = \X\ r msv r (A), msv r (A) = msv r (UAV), 

where A 6 C and U and V are unitary matrices of the correct format. Note also 
that msv n (A) = | det A\ for A E C nxn . The unitary invariance allows to express 
the mean square volume of A in terms of the singular values o\ > > a p 

of A, p := min{m, n}. It is well known [Golub and Van Loan 1996] that there are 
unitary matrices U e C mxm and V G C" x " such that U*AV = diagOi, . . .,a p ). 
Hence we obtain 

msvl(A) =msv^(diag(<7i,...,c7 J) )) = ^11^ - a ^ ' ' ' a r, ( 5 ) 

\I\=ri£l 

where I runs over all r-subsets of [p\. Hence, the square of the r-mean square 
volume of a matrix is the r-th elementary symmetric polynomial in the squares of 
its singular values. 

Combining the r-volume bound (2) with (4) we obtain the following mean square 
volume bound. 

Proposition 3.1. For a matrix A e £ mxn and r e N with 1 < r < min{m,n} 
we have 

Tfl 

C(A)>\ogmsv r (A)--. (6) 

Remark 3.2. The r-volume can be seen as the 1, 2-norm of the map A r A induced 
by A between the exterior algebras A r C™ and A r C m (see e.g., [Lang 1984] for 
background on multilinear algebra). Similarly, the mean square volume can be 
interpreted as the Frobcnius norm of A r A. The unitary invariance of the mean 
square volume also follows from the fact that A r is equivariant with respect to 
unitary transformations and that the Frobenius norm is invariant under such. 

4. A LOWER BOUND ON CYCLIC CONVOLUTION 

In this section we use the mean square volume bound (6) to prove a lower bound 
on the bilinear map of the cyclic convolution. 

Let / = Y^i=o a i xt an< ^ 9 = T^i=v biX % be polynomials in C[X]. The cyclic 
convolution of / and g is the polynomial h = Y^i=o c % x% ■> which is given by the 
product of / and g in the quotient ring C[X]/(X n — 1). More explicitly: 

c k = a^j, < k < n. 

i+j=k mod n 

Cyclic convolution is a bilinear map on the coefficients. For a fixed polynomial with 
coefficient vector a = (ao, . . . , a n -i), this map turns into a linear transformation 
with the circulant matrix 

f a ax ... a„_i\ 
Circ(a)= 00 a "- 2 

\ ai a 2 ... a ) 
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Let DFT„ = (u/' fe )o<j,fc<n be the matrix of the Discrete Fourier Transform, with 
uj = e 2 W™. It is well known [Golub and Van Loan 1996, Sect. 4.7.7] that 



Hence the singular values of Circ(a) are |An|, . . . , |A„_i | (in some order). Note that 
n~ 1//2 DFT„ is unitary. 

We recall that the Fast Fourier Transform provides a b.c. bilinear circuit of size 
0(n log n) that computes the n-dimensional cyclic convolution. The main result of 
the paper is the optimality of this algorithm in the b.c. model. 

Theorem 4.1. The bounded coefficient complexity of the n-dimensional cyclic 
convolution conv„ satisfies C(conv„) > yjnlogn — O(nloglogra). 

In fact, the proof of the theorem shows that we can replace the constant fac- 
tor 1/12 by the slightly larger value 0.086. We state the theorem with 1/12 for 
simplicity of exposition. 

4.1 Bounding the absolute values of linear forms 

To prepare for the proof, we need some lemmas. The idea behind the following 
lemma is already present in [Raz 2002]. Wc will identify linear forms on C" with 
vectors in C™. 

Lemma 4.2. Let /i, . . . , fk € C" be linear forms and let 1 < r < n. Then there 
exists a complex subspace U C C" of dimension r such that for a standard Gaussian 
vector in U , we have 



Proof. Set R — rig n _ r (/i, . . . ,/fe). Then there exists a linear subspace V C C™ of 
dimension n — r such that dist(/j, V) < R for all 1 < i < k. Let f[ be the projection 
of fi along V onto the orthogonal complement U := V 1 - of V. By our choice of the 
subspace V we have ||/ 4 '|| < R. 

Let (&i, . . . , b n ) be standard Gaussian in C" and a be the orthogonal projection 
of b onto U along V. Then a is standard Gaussian in U. Moreover, we have f-(b) = 
fi(a). By Lemma 2.5, the random variable T = |/,-(6)| 2 /(2||/j'|| 2 ) is exponentially 
distributed with parameter 1. 

The assertion now follows from standard large deviations arguments. For any 
real A, we have 



Circ(a) = (— DFT„) 1 diag(A , . . . , A„_ 1 )^DFT 




where the eigenvalues A& of Circ(a) are given by 

(An, • • • , A„_!) T = DFT„(a , . . . , a„_i) 



(7) 



P [max |/,(a)| < 2^\n(4k) ng n _ r (f u . . . , f k )] > \. 



P [T > A] = E[1 t >a] < E[ e ( T - A )/ 2 ] - e- A / 2 E[e T / 2 ]. 



On the other hand, 
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since E[T k ] — J Q x k e x dx = hi. It follows that 

P[T>A]=P[|/;(6)| 2 >2A||/;|| 2 ] <2e-V2. 
Since \\f-\\ < R, we have for a fixed i that 

P \\fi(a)\ > V2\r] < 2e- x ' 2 . 
By the union bound we obtain 



max |/, (a) | > V2XR 

i 

Setting A — 2 In (4fc) completes the proof. □ 
4.2 Proof of the main result 

In the next lemma, we state a lower bound on the b.c. linear complexity of the 
circulant. 

Lemma 4.3. Let U C C™ be a subspace of dimension r. For a standard Gaussian 
vector a in U , we have 



C(Circ(a)) > -rlogn — cn 



1 



where c = ±(2+7+V2#) w 3.73 ; and 7, are the constants introduced in Section 2.4- 

We postpone the proof of this lemma and proceed with the proof of the main 
theorem. 

Proof, (of Theorem 4.1) Let T be a b.c. bilinear circuit for conv„, which computes 
the linear forms fi, - ■ ■ ,fk on the first set of inputs. Fix 1 < r < n, to be specified 
later, and set R = rig„_ r (/i, . . . ,/fe). By Lemma 4.2 and Lemma 4.3 there exists 
an a € C™, such that the following conditions hold: 



(1) ma Xl <,a \fi{a)\ < 2^\n (4k) R, 

(2) C(Circ(a)) > \r\ogn~cn. 

By Lemma 2.4 and the fact that k < 3n 3 , we get 



5(F) + n log (2^/ln (12n 3 ) R) > C(Circ(o)). (8) 

On the other hand, the rigidity bound (3) implies the following upper bound on R 
in terms of S(T): 

5(r)>C(/i,...,/ fc )>(n-r)Iogi2. 

By combining this with (8) and using the second condition above, we obtain 

/ n \ r 

H 5(r) > - logn - 0(n log logn). 

V n — r ) 2 

Setting e = r/n yields 

5(r) > ^ - ^ n log n - 0(n log log n). 
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A simple calculation shows that the coefficient of the n log n term attains the max- 
imum 0.086 for e w 0.58. Choosing e = 1/2 for simplicity of exposition finishes the 
proof. □ 

Before going into the proof of Lemma 4.3, we provide a lemma on bounding the 
deviations of products of correlated normal random variables. 

Lemma 4.4. Let Z = (Z\,...,Z r ) be a centered Gaussian vector in C r . De- 
fine the complex covariance matrix of Z by S r := (E(ZjZk))j,k and put S := 
2 -h+V28) ~ o 02. Then we have E(|Zi| 2 • • • \Z r \ 2 ) > det £ r and 

P ^Z^ 2 ■■■\Z r \ 2 > <5 r dct£ r ] > i. 

Proof. For proving the bound on the expectation decompose Z r = £ + r\ into a 
component £ in the span of Z\, . . . , Z r -\ plus a component r\ orthogonal to this 
span in the Hilbert space of quadratic integrable random variables with respect 
to the inner product defined by the joint probability density of Z. Therefore, 
|-ZV| 2 = |£| 2 + £jj + + \n\ 2 , hence by independence 

EdZil 2 • • • \Z r ^\ 2 \Z r \ 2 ) = Ed^l 2 • • • \Z r ^\ 2 \^\ 2 ) + EdZil 2 • • • \Z r ^\ 2 )E(\ V \ 2 ) 

> Ed^l 2 - - - |^_i| 2 ) E(H 2 ). 

By interpreting the Gramian determinant det S r as the square volume of the paral- 
lelepiped spanned by the random vectors Z\ , . . . , Z r in the Hilbert space, we obtain 

det£ r = detE r _iE(|77| 2 ). 

The desired bound on the expectation E^Z^ 2 ■ ■ ■ \Z r \ 2 ) > det thus follows by 
induction on r. Noting that E(|Z r | 2 ) > E(|7y| 2 ), we also conclude from the above 
equation that 

E(|Zi| 2 )---E(|Z r | 2 ) >detS r . (9) 

In order to prove the probability estimate for the random product \Z\ | 2 • • • \Z r \ 2 , 
we first transform the product into a sum by taking logarithms. For every e > 
Chebychev's inequality yields the bound 

p[l|t(lo e |^-E[lo g |Z,n)|> t ]< Vaj( g^ |Zj|2) . ,10) 

For the variance we have by Lemma 2.6 

Var(]T log \Zj\ 2 ) = J2 Cov(log \Zj\ 2 , log \Z k \ 2 ) 

< ^Var^og |Z,-| 2 )Var(log \Z k \ 2 ) < r 2 0. 
Setting e 2 = 26 in this equation and after exponentiating in (10) we obtain 



|Zl| 2 "-|^r| 2 < 2 - £r +^=i E [ lo sl^l 
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By combining the bound (9) with Lemma 2.6 we get 

r r 

log det S r < log E[| Z t | 2 ] < 7 r + £ E [log | Z t 

i=l i=l 

Hence we conclude from (11) that 

|Zi| 2 ---|Z r | 2 < 2^( £+ ^ r detE r 
from which the lemma follows. □ 



Proof, (of Lemma 4.3) By equation (7) we have A = DFT„a and the singular values 
of the circulant Circ(a) are given by the absolute values of the components of A. 
Setting 

a = n'^X = n" 1 / 2 DFT n a, 
we obtain for the r-mean square volume by (5) 

msv 2 (Circ(a)) = n r £ \a t \ 2 . (12) 

\I\=r iel 

Now let a be a standard Gaussian vector in the subspace U of dimension r. Let 
W by the image of U under the unitary transformation n _1 / 2 DFT n . As a unitary 
transformation of a, a is standard Gaussian in the subspace W (cf. Section 2.3). 
This means that there is an orthonormal basis b\,. . . ,b r of W such that 

a = 0ibi H h (3 r b ri 

where (/3,) is standard Gaussian in C r . Let B G C™ xr denote the matrix with the 
columns b\ , . . . , b r and let Bj be the submatrix of B consisting of the rows indexed 
by /, for / C [n] with |/| = r. Setting otj = (oti) ieI we have aj = Bj/3. The 
complex covariance matrix of otj is given by S := E^a/aJ] = BjB}, hence 

detS = |dctS/| 2 . 

We remark that | det Bi\ 2 can be interpreted as the volume contraction ratio of the 
projection C"^C',a H a i restricted to W. For later purposes we also note that 

e(NI 2 )-E,I^I 2 <i- 

By the Binet-Cauchy formula and the orthogonality of the basis (6^) we get 
^ \ det Bi\ 2 = det((bi,bj))i<ij< r = 1. 

|7|=r 

Therefore, we can choose an index set / such that 

-l 



ii 



|dctS/| 2 > > 2- 

By applying Lemma 4.4 to the random vector aj and using (12), we get that with 
probability at least 1/2, 

msv 2 (Circ(a)) > n r S r det S > n r 6 r 2- n , (13) 
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where <5 = 2~( 7+v ^). The mean square volume bound (6) implies that 

n 1 1 

C(Circ(a)) > logmsv r (Circ(a)) - — > -rlogn— -(2 + log<5 _1 )n, 

with probability at least 1/2. This proves the lemma. □ 
5. MULTIPLICATION AND DIVISION OF POLYNOMIALS 

By reducing the cyclic convolution to several other important computational prob- 
lems, we are going to derive lower bounds of order n log n for these problems. These 
bounds are optimal up to a constant factor. However, we did not attempt to opti- 
mize these factors. 

5.1 Polynomial multiplication 

Let / = J27=o a i xl an d 9 = YllZo biX 1 be polynomials in C[X] and fg = X^"o~ 2 ° iX% ■ 
Clearly, we can obtain the coefficients of the cyclic convolution of / and g by adding 
Cfe to Ck+n f° r < k < n. This observation and Theorem 4.1 immediately imply 
the following corollary. 

Corollary 5.1. The bounded coefficient complexity of the multiplication of poly- 
nomials of degree less than n is at least j^nlogn — O(nloglogn). 

5.2 Division with remainder 

We will first derive a lower bound on the inversion of power series mod X n+1 and 
then use this to get a lower bound for the division of polynomials. 

Let C[[X]] denote the ring of formal power series in the variable X. We will study 
the problem to compute the first n coefficients bi 6„ of the inverse in C[LY]] 



k=i 



of the polynomial / = 1 — Y^i=i a iX l given by the coefficients ai. We remark that 
the bk are polynomials in the a,, which are recursively given by 



fc-i 



bo ■= 1, h = ak-jbj. 

i=0 

Note that the problem to invert power series is not bilinear. [Sicvcking 1972] and 
[Kung 1974] designed a b.c. circuit of size 0(n log n) solving this problem. 

We now prove a corresponding lower bound on the b.c. complexity of this problem 
by reducing polynomial multiplication to the problem to invert power series. 

Theorem 5.2. The map assigning to oi, , . . . , a n the first n coefficients b\, . . . , b n 
of the inverse of f = 1 — Y^i=i a iX l in the ring of formal power series has bounded 
coefficient complexity greater than ^nlogn — 0(n log log n). 

Proof. Put g — YJ" =1 aiX 1 . The equation 

fe=l y fc=0 
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shows that g 2 is the homogeneous quadratic part of YlkLi bkX k in the variables a,. 

Let T be an optimal b.c. circuit computing b\, . . . ,b n . According to the proof in 
[Burgisser et al. 1997, Theorem 7.1], there is a b.c. circuit of size at most 9<S(r) 
computing the homogeneous quadratic parts of the b\ , . . . , b n with respect to the 
variables a^. This leads to a b.c. circuit of size at most 9<S(T) computing the 
coefficients of the squared polynomial g 2 . 

Now let m := [n/3\ 7 and assume that g — g\ + X 2m g2 with 31,32 of degree 
smaller than m. Then 

g 2 = g 2 + 2 gi g 2 X 2m +g 2 X im , 

By the assumption on the degrees we have no "carries" and we can therefore find 
the coefficients of the product polynomial g±g 2 among the middle terms of g 2 . Thus 
we obtain a b.c. circuit for the multiplication of polynomials of degree m — 1. The 
theorem now follows from Corollary 5.1. □ 

We now show how to reduce the inversion of power series to the problem of 
dividing polynomials with remainder. The reduction in the proof of the following 
corollary is from [Strassen 1973a], see also [Biirgisscr et al. 1997, Section 2.5]. 

COROLLARY 5.3. Let f,g be polynomials with n — deg / > m — degg and g 
be monic. Let q be the quotient and r be the remainder of f divided by g, so that 
f = qg + r and degr < degg. The map assigning to the coefficients of f and g the 
coefficients of the quotient q and the remainder r has bounded coefficient complexity 
at least g^nlogn — 0(n log log n). 

Proof. Dividing / = X 2n by g = J27=o a iX n ~ l , where do = 1, we obtain: 

n n n— 1 

x 2 - = ( ]T QiX') ( J2 + E r * xl - 

i=o i=a i=a 

By substituting X with l/X in the above equation and multiplying with X 2n , we 
get 



i = (E^"i(E^) + E^ 2 



r2n— i 

i=0 ' ' i=0 ' i=0 

Since the remainder is now a multiple of X n+1 , we get 



( ^ a t X l ) = ( E <li xn ~ l ) mod xn+1 

i=0 



From this we see that the coefficients of the quotient are precisely the coefficients 
of the inverse mod X n+1 of J27=o a iX l in the ring of formal power series, and the 
proof is finished. □ 



6. UNBOUNDED SCALAR MULTIPLICATIONS 

We extend our model of computation by allowing some instructions corresponding 
to scalar multiplications with constants of absolute value greater than two, briefly 
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called help gates in the sequel. If there are at most h help gates allowed, we denote 
the corresponding bounded coefficient complexity by the symbol C] x . 

We are going to show that our proof technique is robust in the sense that it still 
allows to prove nlogn lower bounds if the number of help gates is restricted to 
(1 — e)n for fixed e > 0. 

6.1 Extension of the mean square volume bound 

As a first step we extend the mean square volume bound (5) and (6) for dealing 
with help gates. 

PROPOSITION 6.1. Assume A e C mx ™ has the singular values a\ > . . . > a p , 
where p := min {m, n}. For all integers s, h with \ < s < p — h we have 

h+s 

- , \ to m 

Ch(A) > 2^ iog' 7 * - y + h > s\oga h+s - — + h. 

i=h+l 

Proof. Let T be a b.c. circuit with at most h help gates, which computes the linear 
map corresponding to A. Without loss of generality, we may assume that T has 
exactly h help gates. Let i e /, be the linear forms computed at the help gates 
of r. We transform the circuit T into a b.c. circuit V by replacing each help gate 
with a multiplication by zero. This new circuit is obviously a b.c. circuit of size 
SiT') = S(Y) — h, computing a linear map corresponding to a matrix B e C mx ™. 
The linear maps corresponding to A and B coincide on the orthogonal complement 
of spanjgi | i e 1} in C m , therefore B = A + E for a matrix E of rank at most h. 
From the perturbation inequality (1) we obtain that 

0i(-B) > °~i+h(A) iovi<p-h. 
By (5) this implies for s < p — h that 

0<ii<---<i e <p—h h<ii<-<i B <p 

On the other hand, by the mean square volume bound (6) we have 

Tfi 

S{T) -h = S{V) > logmsv s (B) - —. 
Combining the last two estimates completes the proof. □ 

Remark 6.2. 1. Proposition 6.1 implies that C(i_ £ )„(DFT„) > e(^n\ogn — n) 
for the Discrete Fourier Transform DFT„, provided < e < 1. 

2. Note that the number h of help gates may be replaced by the dimension of 
the subspace spanned by the linear functions computed at the help gates. 

3. Proposition 6.1 can be seen as a variant of the spectral lemma in [Chazelle 
1998]. Using entropy considerations, Chazelle obtained the slightly worse lower 
bound fi((r — 2h) logov) for the b.c. complexity of a matrix A £ R" x ™ with at most 
h help gates. While this allows to handle at most n/2 help gates, Chazelle's result 
is stronger in the sense that it involves a more general notion of help gates, which 
are allowed to compute any function of the previous intermediate results. 
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6.2 Extremal values of Gaussian random vectors 



In this section we derive the following auxiliary result about the distribution of the 
maximal absolute value of the components of a Gaussian random vector. 

Lemma 6.3. 1. A centered Gaussian random vector X = (X\, . . . ,X n ) in R" 
with max, E(Xf) < 1 satisfies for any e > 



lim P 

n— >oo 



max \XA > V2 Inn + e 



= 0. 



2. A centered Gaussian random vector (Z\, . . . , Z n ) in C" with maxj E(|^| 2 ) < 1 
satisfies for any e > 



lim P 

n—>oo 



maxl^il > 2y / In(2n) + e 



= 0. 



Proof. 1. Since X is centered we have for any u € 



max \X; I > u 



< P 



maxX; > u 



max(— Xi) > u 



< 2P 



maxl; > u 



For proving the first assertion it is therefore sufficient to show that for any e > 

(14) 



lim P 

'OG 



max X % > V2 In n + e 



= 0. 



For this we may assume that the components of X are uncorrelated. In fact, 
Slcpian's inequality (see [Ledoux and Talagrand 1991]) implies that for centered 
Gaussian vectors X = (X\, . . . , X n ) and Y = (Y\, . . . , Y n ) we have 



maxX, < u 



< P 



maxK < u 



provided E(X?) = E(lf ) and EpQXj) < E(YjYj) for all i, j. 

We may also assume that all the Xi have variance 1 since the distribution function 

1 f u t 2 

FAu) := w^L cM -^ )dL 

of a centered normal random variable with variance a 2 < 1 satisfies F\ (u) < F a (u) 
for all u > 0. Hence, if X is a Gaussian vector with uncorrelated components Xi 
of variance of < 1, we have 



Fi(u) n <Y[F ai (u) = P 



maxl, < u 



In the case where X\ , . . . , X n are independent and standard normal distributed 
we have according to [Cramer 1946] that 

n — > oo 



E(maxXi) = V21nn + o(l), Var(maxX 4 ) = 1- -L (1 + o(l)), 
i » 12 Inn 



and Claim (14) follows from Chebychev's inequality. 

2. The second assertion follows from the first one applied to the Gaussian vec- 
tor W with values in M. 2n given by the real and imaginary parts of the Zi (in some 
order). Note that 
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6.3 Cyclic convolution and help gates 

Our goal is to prove the following extension of Theorem 4.1. 

Theorem 6.4. The bounded coefficient complexity with at most (1 — e)n help 
gates of the n-dimensional cyclic convolution conv„ is at least Q(n\ogn) for fixed 
< e < 1. 

The proof follows the same line of argumentation as in Section 4. We first state 
and prove an extension of Lemma 4.3. 

Lemma 6.5. Let U C C™ be a subspace of dimension r and h £ N with h < r. 
For a standard Gaussian vector a in U , we have 



C/j(Circ(a)) > i(r — h) log n — n(c + log log n) 



> 



1 



for some constant c > 0. 



Proof. As in the proof of Lemma 4.3 we assume that the random vector a = 
n _1 / 2 DFT„a is standard Gaussian with values in some r-dimensional subspace W. 
Recall that v^l^il are the singular values of Circ(a). We denote by la*- 1 ^ > 
. . . > |a(™)| the components of a with decreasing absolute values. In particular, 
\a^\ = maxi \a^\. Proposition 6.1 implies that 

C fc (CSrc(o)) > lo ^ I) - \ + h 

i=h+l 

= ^(r-h)logn + log( f[ \ a ^\\-^+h. 

In the proof of Lemma 4.3 (13) we showed that msv^(Circ(o)) > n r 5 r 2~ n with 
probability at least 1/2. In the same way, one can show that with probability at 
least 3/4 we have msv^(Circ(a)) > n r c" for some fixed constant c\ > 0. From the 
estimate 

E IlN 2 ^ 2«n|a«| 2 

\I\=r iel i=l 

we thus obtain that Yll=i W^\ 2 > (ci/2)™ with probability at least 3/4. 

By applying Lemma 6.3 to the centered Gaussian random variable a we obtain 
that with probability at least 3/4 

max la*- 1 ) | 2 = | 2 < c 2 logn 

i 

for some fixed constant c 2 > 0. (Recall that E(|aW| 2 ) < 1.) 

Altogether, we obtain that with probability at least 1/2 we have 

A |a(0|a > nui^i 2 > (^_Y 

This completes the proof of the lemma. □ 
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Proof, (of Theorem 6.4) Let T be a b.c. bilinear circuit computing conv„ using at 
most h < (1 — e)n help gates, < e < 1. Referring to the partition of instructions 
in Definition 2.2, we assume that ' uses hi help gates, and that , r< 3 \ r< 4 ) 
use a total of hi help gates. Thus hi + /12 = h. Let fi, . . . , fk denote the linear 
forms computed by 

Assume /i 2 < r < n — hi and set R = rig n _ r (/i, . . . , /&). By Lemma 4.2 and 
Lemma 6.5 there exists an a G C n , such that the following conditions hold: 

(1) maxi^fclogl/jfa)! < log(2 v /M4fc)i?) < logi? + O(loglogn), 

(2) C, l2 (Circ(a)) > |(r - ft 2 ) logn - O(nloglogn). 

On the other hand, by Proposition 6.1 and using cr n _ r (/i, . . . , fk) > R, we get 

5(r)>C fcl (/i,...,/ fc ) > („- r -/ii)Iogfl-|. 
The proof of Lemma 2.4 shows that 

S{r)+n max log |/i(a)| > C fc2 (Circ(a)). 

l<i<k 

By combining all this we obtain 

1 + \S{T) + - — + 0(nloglogn) > -(r - h 2 ) logn. 

V n — r — h\) 2{n — r — hi) 2 

We set now r := [(^2 + « — fti)/2j . Then r + h\ < (1 — |)n and r — /i 2 > | n — 1. 
By plugging this into the above inequality we obtain 

e + 2 /c e 

<S(r) + — + 0(n log logn) > - nlogn. 

Let k := If fc < Kii logn + n, then S(T) > -^pp^ nlogn — 0(n log logn). On 
the other hand, if k > nnlogn + n, then trivially 

S(T) > C hl (fi, ■ ■ ■ ,/fc) > k - n > Knlogn. 

This completes the proof of the theorem. □ 
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